Mark Andrews wrote:
> That said it is possible to completely automate the secure assignment
> of PTR records. It is also possible to completely automate the
> secure delegation of the reverse name space. See
> http://tools.ietf.org/html/draft-andrews-dnsop-pd-reverse-00
It is a lot simpler and a lot more practical just to
use shared secret between a CPE and a ISP's name server
for TSIG generation.
As the secret can be directly shared end to end, it is more
secure than DNSSEC involving untrustworthy third parties.
Masataka Ohta
